Re: Local Policies with Roaming Profiles - Security ID Prob

From: Steven L Umbach (sumbach_at_ameritech.net)
Date: 04/29/03 

Date: Tue, 29 Apr 2003 15:02:39 GMT

     Hi Kris. I am not quite sure what problem you are experiencing, but I
am not surprised you are having problems though because there are user
identities associated with a user profile, even on a local machine. So user
Jim on computer 1 is not the same person as user Jim on computer 2 when it
comes to system internals. I am not sure if it is possible to accomplish
what you want to do in a workgroup. --- Steve

"Kris Hyde" <k.hyde@umist.ac.uk> wrote in message
news:da8e631b.0304290110.45918e17@posting.google.com...
> Thanks for the posting Steve. I agree completely with the theory of
> what you say... it just doesn't seem to work. Theory goes that as they
> are only local policies, they should be stored in the Group Policies
> folder in the system32 drectory. As long as I've configured the
> security tab for that folder correctly, it should work a treat. And it
> does, even when the profiles are set to roaming. The only prob arises
> when a second computer tries overwrite the copy of the profile, then
> all policies stop being applied. If there isn't some infomation within
> the profile about the policies, then the prob must be to do with the
> Security ID. When the second computer overwrites the origional profile
> on the server, it must tag the profile with that computer's profile's
> SID. I'm guessing that other computers won't then recognise that SID
> and despite loading the Desktop, My Documents... etc, it refuses to
> apply the local policies (I assume because it recognises that its not
> a local SID).
>
> Sadly, as people may have guessed, my knowledge of SIDs is poor. Is
> there any way of convincing the computer to apply local policies to
> what it will regard as non-local users? Or of somehow obtaining the
> SIDs of each an individuals accounts on each computer and storing all
> of these in their centrally stored profile, so that each computer will
> regard it as 'local'?
>
> Any help would be appreciated,
>
> Kris
>
>
>
> "Steven L Umbach" <n9rou@attbi.com> wrote in message
news:<Mgkra.678978$S_4.728622@rwcrnsc53>...
> > Security/group policies are not configured by user profiles. Use the
> > gpedit.msc snap in toconfigure policies on a stand alone machine. The
user
> > configuration policies will apply equally to all users by default. --
> > Steve
> >
> "Kris Hyde" <k.hyde@umist.ac.uk> wrote in message
> news:da8e631b.0304280526.1c4ea566@posting.google.com...
> > Hi,
> >
> > Due to restrictions within our organisation we cannot setup a child
> > domain within the existing network for our group. Thus we have a
> > workgroup, and an accout is setup on every computer for each user.
> > Local policies are applied to the accounts at this stage. All the
> > profiles on each computer then have their profile path set to the
> > users' shared folder on the server, and local copies of the profiles
> > are set to be automatically deleted. Thus, there is one copy of each
> > profile which is downloaded on logon and updated on logout.
> >
> > The problem I have is this: When I transfer all of the profiles from a
> > computer (call it Computer 1) all of the local policies are still
> > applied when the users subsequently login. When I then try and repeat
> > the procedure on a second computer (Computer 2) everything initally
> > seems ok as users can log in and out of computer 2 fine, with all of
> > the policies applied. However, when a user attempts to login to
> > Computer 1, none of the policies are applied. Somewhere in the users
> > profile folder on the server, the local policies for computer 2 have
> > overwritten those for computer 1, and computer 1 can't read computer
> > 2's policies (something to do with the Security ID?). The only way
> > I've found around this problem is to give all the users on Computer 1
> > Administrator priveleges, which is obviously not ideal!
> >
> > Does anyone know where this data may be stored within the profile, and
> > how I can convince users to be able to access it without giving them
> > full Admin rights? I'm guessing that I only have to play with the ACL
> > of the file or soemthing.
> >
> > Cheers,
> >
> > Kris

Relevant Pages

  • Re: Local Policies with Roaming Profiles - Security ID Prob
    ... are only local policies, they should be stored in the Group Policies ... when a second computer tries overwrite the copy of the profile, ... I'm guessing that other computers won't then recognise that SID ...
    (microsoft.public.win2000.security)
  • RE: gp still tatooing!
    ... > more and more policies. ... > policies tatooed locally stored locopy of user profile and when the profile ... > when the affected user logs onto another workstation (the one that he had ... > never log on to) he gets a new local profile and no policies are applied to ...
    (microsoft.public.windows.server.active_directory)
  • RE: gp still tatooing!
    ... the article "Understanding Policy Tattooing" ... >> i check affected user with GPResults and it showes than no policies are ... >> policies tatooed locally stored locopy of user profile and when the profile ... >> never log on to) he gets a new local profile and no policies are applied to ...
    (microsoft.public.windows.server.active_directory)
  • Re: gp still tatooing!
    ... "Piotr Majcher" wrote in message ... > does anyone know how can I avoid tattooing local user profiles? ... >>>> i check affected user with GPResults and it showes than no policies ... >>>> policies tatooed locally stored locopy of user profile and when the ...
    (microsoft.public.windows.server.active_directory)
  • Folder redirection and Terminal Services profiles
    ... policies, ... use Terminal Services to access a Winframe server, ... Directory that allows you to specify a Terminal Services profile, ... that policy when logging on to their own PC, but not the Winframe ...
    (microsoft.public.win2000.group_policy)